How to Set Password Expiration Policies in Batch Script
Setting a strong password policy is a fundamental security measure for any Windows computer, whether it is a standalone server or a multi-user workstation. A good policy enforces rules such as how long a password may be used before it must be changed, how long it must be, and how many previous passwords may not be reused. For local user accounts, these settings can be configured directly from the command line with the built-in NET ACCOUNTS utility.
This guide shows how to use the NET ACCOUNTS command to view and modify the password policy that applies to all local user accounts on a machine. You will learn the key parameters for password expiration, length, and history, and the critical difference between local policy and domain policy.
The Core Command: NET ACCOUNTS
The NET ACCOUNTS command is the primary tool for managing the user account policy database on a local machine. It allows you to set system-wide rules for all local user accounts.
Important: This command sets one policy for all local users at once; you cannot use it to give individual users different settings. Viewing the policy works from any account, but changing it requires an elevated (administrator) command prompt.
Key Password Policy Parameters Explained
| Parameter | Description | Example |
|---|---|---|
| /MAXPWAGE:<days> | Maximum password age: the number of days a password is valid before it expires (1-999). Use UNLIMITED to never expire. | /MAXPWAGE:90 |
| /MINPWAGE:<days> | Minimum password age: the number of days a user must wait before changing their password again (0-999). Must be less than the maximum password age. | /MINPWAGE:1 |
| /MINPWLEN:<length> | Minimum password length: the minimum number of characters a password must have. NET ACCOUNTS accepts 0-14 here; longer minimums must be set through Group Policy. | /MINPWLEN:8 |
| /UNIQUEPW:<number> | Password history: remembers the last N passwords (0-24) so a user cannot reuse them. | /UNIQUEPW:5 |
How to View the Current Password Policy
Before changing anything, you should always check the current settings. Running NET ACCOUNTS with no arguments will display the current policy.
@ECHO OFF
ECHO --- Displaying Current Local Password Policy ---
ECHO.
NET ACCOUNTS
Output:
--- Displaying Current Local Password Policy ---
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
How to Change the Password Policy
To change the policy, you simply add the switches and values you want to set.
This script sets a moderately strong password policy. It must be run as an Administrator.
@ECHO OFF
ECHO --- Applying a New Local Password Policy ---
ECHO.
REM Requires an elevated prompt. NET sets a non-zero ERRORLEVEL when a switch
REM is rejected or the caller lacks permission, so the result can be checked.
NET ACCOUNTS /MAXPWAGE:90 /MINPWAGE:1 /MINPWLEN:8 /UNIQUEPW:5
IF %ERRORLEVEL% EQU 0 (
ECHO [SUCCESS] The password policy has been updated.
) ELSE (
ECHO [FAILURE] The command failed. See error message above.
)
After running this, if you run NET ACCOUNTS again, you will see the new values reflected.
How the Command Works (Local vs. Domain Policy)
The NET ACCOUNTS command directly modifies the local Security Account Manager (SAM) database policy. This is the central database that stores all local user accounts and their security settings.
It is critical to understand the difference in behavior on different types of machines:
- On a standalone/workgroup computer: NET ACCOUNTS sets the password policy for all local users, and the change persists.
- On a domain-joined computer: the password policy is almost always controlled by Group Policy (GPO) from the domain controllers, and that policy is pushed down to the local SAM of every member computer. NET ACCOUNTS will display the policy currently in effect, but any change you make locally is overwritten at the next Group Policy refresh, so the domain policy wins. The /DOMAIN switch makes NET ACCOUNTS operate on a domain controller's policy instead of the local SAM, but that policy is likewise governed by GPO and changing it requires domain administrator rights.
Common Pitfalls and How to Solve Them
Problem: "Access is denied." (Administrator Privileges)
This is the number one reason for failure.
Solution: The script must be run from an elevated command prompt. Right-click your .bat file or cmd.exe and select "Run as administrator."
Problem: The Command Has No Effect on a Domain-Joined Machine
You run NET ACCOUNTS /MAXPWAGE:90, it completes successfully, but when you check with NET ACCOUNTS later the value is back to the old one.
Solution: This is the expected behavior on a domain-joined computer. Group Policy is authoritative and reapplies the domain's settings on every refresh (periodically, or immediately with gpupdate /force), so a local command cannot override it. To change the policy, edit the "Default Domain Policy" or another GPO that applies to the computer, using the Group Policy tools on a Domain Controller.
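The two pitfalls above (missing elevation, and a domain-joined machine whose policy Group Policy will silently revert) are both cheap to detect before the script changes anything, and the new values can be read back with NET ACCOUNTS to confirm they stuck. The following script is an added example, not part of the original guide. It assumes an English-language Windows (the NET ACCOUNTS labels it parses are localized) and PowerShell 3.0 or later for the domain-membership check; the policy values and the ReadSetting subroutine name are the author's choices for illustration.

```batch
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
REM Added example: preflight checks, apply a local password policy, then verify it.
REM Assumes an English UI (NET ACCOUNTS output labels are localized) and PowerShell 3.0+.

REM --- 1. Elevation check: NET SESSION fails with "Access is denied" when not elevated.
NET SESSION >NUL 2>&1
IF ERRORLEVEL 1 (
    ECHO [FAILURE] Run this script from an elevated command prompt.
    EXIT /B 1
)

REM --- 2. Domain-membership check. On a domain member, Group Policy overwrites any
REM     local change at the next refresh, so refuse to continue rather than mislead.
SET "PART_OF_DOMAIN="
FOR /F "usebackq delims=" %%D IN (`powershell -NoProfile -Command "(Get-CimInstance Win32_ComputerSystem).PartOfDomain"`) DO SET "PART_OF_DOMAIN=%%D"
IF /I "%PART_OF_DOMAIN%"=="True" (
    ECHO [FAILURE] This computer is domain-joined; set the password policy in a GPO instead.
    EXIT /B 2
)
IF /I NOT "%PART_OF_DOMAIN%"=="False" ECHO [WARNING] Could not determine domain membership; continuing.

REM --- 3. Apply the policy. Values stay within NET ACCOUNTS limits (MINPWLEN 0-14, UNIQUEPW 0-24).
NET ACCOUNTS /MAXPWAGE:90 /MINPWAGE:1 /MINPWLEN:12 /UNIQUEPW:10
IF ERRORLEVEL 1 (
    ECHO [FAILURE] NET ACCOUNTS reported an error. See message above.
    EXIT /B 3
)

REM --- 4. Verify by reading each setting back and comparing it with what was requested.
CALL :ReadSetting "Maximum password age" MAXAGE
CALL :ReadSetting "Minimum password length" MINLEN
CALL :ReadSetting "Length of password history" HISTORY
SET "RC=0"
IF NOT "%MAXAGE%"=="90"  (ECHO [MISMATCH] Maximum password age is %MAXAGE%, expected 90. & SET "RC=4")
IF NOT "%MINLEN%"=="12"  (ECHO [MISMATCH] Minimum password length is %MINLEN%, expected 12. & SET "RC=4")
IF NOT "%HISTORY%"=="10" (ECHO [MISMATCH] Password history is %HISTORY%, expected 10. & SET "RC=4")
IF "%RC%"=="0" ECHO [SUCCESS] Policy applied and verified.
EXIT /B %RC%

REM --- Subroutine: extract the value after the colon for one NET ACCOUNTS label.
REM     %1 = label text to match (e.g. "Maximum password age"), %2 = variable to set.
:ReadSetting
SET "%~2="
FOR /F "tokens=1* delims=:" %%A IN ('NET ACCOUNTS ^| FIND "%~1"') DO (
    SET "VALUE=%%B"
    SET "VALUE=!VALUE: =!"
    SET "%~2=!VALUE!"
)
EXIT /B 0
```

Run it from an elevated prompt; it exits 1 without elevation, 2 on a domain member, 3 if NET ACCOUNTS rejects a switch, and 4 if a value read back differs from the one requested. The read-back step is what turns "the command completed successfully" into evidence that the SAM now holds the policy you intended.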
Practical Example: A Security Hardening Script for a Standalone Server
This script is designed to be run on a new, non-domain-joined server to enforce a strong local password policy as part of its initial setup.
@ECHO OFF
SETLOCAL
TITLE Local Security Policy Hardener
REM This script must be run as an Administrator on a non-domain-joined machine.
ECHO --- Applying a Strong Local Password Policy ---
ECHO This will enforce the following settings:
ECHO - Passwords expire every 90 days.
ECHO - Passwords must be at least 12 characters long.
ECHO - The last 10 passwords cannot be reused.
ECHO - Accounts lock for 15 minutes after 5 failed logon attempts.
ECHO.
PAUSE
REM --- Set the password policy ---
NET ACCOUNTS /MAXPWAGE:90 /MINPWLEN:12 /UNIQUEPW:10
IF ERRORLEVEL 1 (
    ECHO [FAILURE] Could not set the password policy. See error message above.
    EXIT /B 1
)
REM --- Set the account lockout policy ---
REM Lock the account after 5 failed attempts for 15 minutes. The observation
REM window is lowered to match, because NET ACCOUNTS rejects a lockout duration
REM that is shorter than the observation window (the default window is 30 minutes).
NET ACCOUNTS /LOCKOUTTHRESHOLD:5 /LOCKOUTDURATION:15 /LOCKOUTWINDOW:15
IF ERRORLEVEL 1 (
    ECHO [FAILURE] Could not set the lockout policy. See error message above.
    EXIT /B 1
)
ECHO.
ECHO [INFO] Displaying the newly applied policy:
NET ACCOUNTS
ENDLOCAL
Conclusion
The NET ACCOUNTS command is the built-in tool for managing the password policy of local user accounts from a batch script.
Key takeaways for using it successfully:
- You must run the script as an Administrator.
- The command sets the policy for all local users on the machine.
- On domain-joined machines, changes made with this command do not stick: Group Policy reapplies the domain's policy, so make the change in a GPO instead.
- Use switches like /MAXPWAGE, /MINPWLEN, and /UNIQUEPW to enforce strong password security, and read the policy back with NET ACCOUNTS to confirm it was applied.